fluent-plugin-secure-forward 0.3.4 → 0.3.5pre1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bb950a6a82fcb71e21a56f55ec30826c5e9ddf3f
-  data.tar.gz: 12df6a78237b207ed07d0eed7fca8a71f7dcb942
+  metadata.gz: dbd0f5d3a80da4fb3d6c86664b6a339c2dd9ab69
+  data.tar.gz: fcd62fa11d69cdab0eedb7a58f1a7ee904fef8cb
 SHA512:
-  metadata.gz: 4c40796160884581c62f260fd971ef694c98c0c502383362b116ef9b02f5c4ced793dc1adfce1ecb230d38e895c638189cb3da26163befd573a56829f83e1e02
-  data.tar.gz: 62da5b2c12d701c05a42b4c8b0d73d134f0054643737b590897dce6c73a04a3185a23e6a6cb2abe10cd3e45aea33679a4d7dac3748ea32399d1b9855ed969bd6
+  metadata.gz: 4ed7cc4556ddce8d742829d068034af94aac9af3c56be50284117dec93136a43ffff9ae00766621b8cf7433b22922ab05392a2ce2891f97d1567ae21487995db
+  data.tar.gz: ca8470d87dc2ea67be427cd37a9e56ccc5be643c72560d59bf8145de29d0dd7752c110740095b66aaf53961c6a0bc5c51848d3afc6473fada90395d7e4d96746

data/README.md

@@ -33,7 +33,7 @@ To communicate over SSL with valid certificate issued from public CA, configure
 
 ```apache
 <source>
-  type secure_forward
+  @type secure_forward
   
   # bind 0.0.0.0 # default
   # port 24284 # default
@@ -55,7 +55,7 @@ For output plugin, specify just 2 options below:
 
 ```apache
 <match secret.data.**>
-  type secure_forward
+  @type secure_forward
   
   self_hostname client.fqdn.local
   shared_key    secret_string
@@ -87,7 +87,7 @@ And then, configure Fluentd with these files and the passphrase. With this confi
 
 ```apache
 <source>
-  type secure_forward
+  @type secure_forward
   
   # bind 0.0.0.0 # default
   # port 24284 # default
@@ -109,7 +109,7 @@ For output plugin, specify just 2 options below:
 
 ```apache
 <match secret.data.**>
-  type secure_forward
+  @type secure_forward
   
   self_hostname myclient.local
   shared_key    secret_string
@@ -137,7 +137,7 @@ For just testing or data center internal communications, this plugin has a featu
 
 ```apache
 <source>
-  type secure_forward
+  @type secure_forward
   
   self_hostname myserver.local
   shared_key    secret_string
@@ -150,7 +150,7 @@ Configure output plugin just same way:
 
 ```apache
 <match data.**>
-  type secure_forward
+  @type secure_forward
   
   self_hostname myclient.local
   shared_key    secret_string
@@ -187,7 +187,7 @@ Minimal configurations like below:
 
 ```apache
 <source>
-  type secure_forward
+  @type secure_forward
   shared_key         secret_string
   self_hostname      server.fqdn.local  # This fqdn is used as CN (Common Name) of certificates
   
@@ -200,7 +200,7 @@ To check username/password from clients, like this:
 
 ```apache
 <source>
-  type secure_forward
+  @type secure_forward
   shared_key         secret_string
   self_hostname      server.fqdn.local
   
@@ -223,7 +223,7 @@ To deny unknown source IP/hosts:
 
 ```apache
 <source>
-  type secure_forward
+  @type secure_forward
   shared_key         secret_string
   self_hostname      server.fqdn.local
   
@@ -248,7 +248,7 @@ You can use both of username/password check and client check:
 
 ```apache
 <source>
-  type secure_forward
+  @type secure_forward
   shared_key         secret_string
   self_hostname      server.fqdn.local
   
@@ -290,7 +290,7 @@ Minimal configurations like this:
 
 ```apache
 <match secret.data.**>
-  type secure_forward
+  @type secure_forward
   shared_key secret_string
   self_hostname client.fqdn.local
   
@@ -308,7 +308,7 @@ Without hostname ACL (and it's not implemented yet), `self_hostname` is not chec
 
 ```apache
 <match secret.data.**>
-  type secure_forward
+  @type secure_forward
   shared_key secret_string
   self_hostname ${hostname}
   
@@ -328,7 +328,7 @@ If server requires username/password, set `username` and `password` in `<server>
 
 ```apache
 <match secret.data.**>
-  type secure_forward
+  @type secure_forward
   shared_key secret_string
   self_hostname client.fqdn.local
   
@@ -363,7 +363,7 @@ To specify keepalive timeouts, use `keepalive` configuration with seconds. SSL c
 
 ```apache
 <match secret.data.**>
-  type secure_forward
+  @type secure_forward
   shared_key secret_string
   self_hostname client.fqdn.local
   
@@ -383,7 +383,7 @@ If you connect via Proxy,
 set for `proxy_uri` in `<server>` section:
 ```apache
 <match secret.data.**>
-  type secure_forward
+  @type secure_forward
   shared_key secret_string
   self_hostname client.fqdn.local
 
@@ -398,7 +398,7 @@ set for `proxy_uri` in `<server>` section:
 </match>
 ```
 
-## Senario (developer document)
+## Scenario (developer document)
 
 * server
   * in\_secure\_forward

data/fluent-plugin-secure-forward.gemspec

@@ -1,13 +1,13 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "fluent-plugin-secure-forward"
-  gem.version       = "0.3.4"
+  gem.version       = "0.3.5pre1"
   gem.authors       = ["TAGOMORI Satoshi"]
   gem.email         = ["tagomoris@gmail.com"]
   gem.summary       = %q{Fluentd input/output plugin to forward over SSL with authentications}
   gem.description   = %q{Message forwarding over SSL with authentication}
   gem.homepage      = "https://github.com/tagomoris/fluent-plugin-secure-forward"
-  gem.license       = "APLv2"
+  gem.license       = "Apache-2.0"
 
   gem.files         = `git ls-files`.split($\)
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }

data/lib/fluent/plugin/input_session.rb

@@ -196,22 +196,23 @@ class Fluent::SecureForwardInput::Session
   rescue Errno::ECONNRESET => e
     # disconnected from client
   rescue => e
-    log.warn "unexpected error in in_secure_forward", error_class: e.class, error: e
+    log.warn "unexpected error in in_secure_forward from #{host}:#{port}", error_class: e.class, error: e
   ensure
+    log.debug "Shutting down #{host}:#{port}"
     self.shutdown
   end
 
   def shutdown
     @state = :closed
+    log.debug "Shutdown called"
+    @socket.close
     if @thread == Thread.current
-      @socket.close
       @thread.kill
     else
       if @thread
         @thread.kill
         @thread.join
       end
-      @socket.close
     end
   rescue => e
     log.debug "#{e.class}:#{e.message}"

data/lib/fluent/plugin/out_secure_forward.rb

@@ -23,10 +23,12 @@ module Fluent
     config_param :shared_key, :string, secret: true
 
     config_param :keepalive, :time, default: nil # nil/0 means disable keepalive expiration
+    config_param :connection_hard_timeout, :time, default: nil # specifying 0 explicitly means not to disconnect stuck connection forever
 
     config_param :send_timeout, :time, default: 60
     # config_param :hard_timeout, :time, :default => 60
-    # config_param :expire_dns_cache, :time, :default => 0 # 0 means disable cache
+
+    config_param :expire_dns_cache, :time, default: 60 # 0 means disable DNS cache
 
     config_param :ca_cert_path, :string, default: nil
 
@@ -92,6 +94,10 @@ module Fluent
         log.warn "'insecure' mode has vulnerability for man-in-the-middle attacks."
       end
 
+      if @keepalive && !@connection_hard_timeout
+        @connection_hard_timeout = @keepalive * 1.2
+      end
+
       @read_interval = @read_interval_msec / 1000.0
       @socket_interval = @socket_interval_msec / 1000.0
 
@@ -109,7 +115,7 @@ module Fluent
       @next_node = 0
       @mutex = Mutex.new
 
-      @hostname_resolver = Resolve::Hostname.new(system_resolver: true)
+      @hostname_resolver = Resolve::Hostname.new(system_resolver: true, ttl: @expire_dns_cache)
 
       true
     end
@@ -173,7 +179,7 @@ module Fluent
           end
 
           node = @nodes[i]
-          log.debug "reconnecting to node", host: node.host, port: node.port, expire: node.expire, expired: node.expired?, detached: node.detached?
+          log.debug "reconnecting to node", host: node.host, port: node.port, state: node.state, expire: node.expire, expired: node.expired?, detached: node.detached?
 
           renewed = node.dup
           renewed.start

data/lib/fluent/plugin/output_node.rb

@@ -32,6 +32,7 @@ class Fluent::SecureForwardOutput::Node
     @proxy_uri = conf.proxy_uri
 
     @keepalive = sender.keepalive
+    @connection_hard_timeout = sender.connection_hard_timeout
 
     @authentication = nil
 
@@ -47,6 +48,7 @@ class Fluent::SecureForwardOutput::Node
 
     @shared_key_salt = generate_salt
     @state = :helo
+    @mtime = Time.now
     @thread = nil
   end
 
@@ -137,6 +139,7 @@ class Fluent::SecureForwardOutput::Node
     @shared_key_nonce = opts['nonce'] || '' # make shared_key_check failed (instead of error) if protocol version mismatch exist
     @authentication = opts['auth']
     @allow_keepalive = opts['keepalive']
+    @mtime = Time.now
     true
   end
 
@@ -152,6 +155,7 @@ class Fluent::SecureForwardOutput::Node
     else
       ping.push('','')
     end
+    @mtime = Time.now
     ping
   end
 
@@ -177,10 +181,12 @@ class Fluent::SecureForwardOutput::Node
       return false, 'shared key mismatch'
     end
 
+    @mtime = Time.now
     return true, nil
   end
 
   def send_data(data)
+    @mtime = Time.now
     @sslsession.write data.to_msgpack
   end
 
@@ -200,6 +206,7 @@ class Fluent::SecureForwardOutput::Node
         return
       end
       send_data generate_ping()
+      @mtime = Time.now
       @state = :pingpong
     when :pingpong
       success, reason = check_pong(data)
@@ -211,6 +218,7 @@ class Fluent::SecureForwardOutput::Node
       log.info "connection established to #{@host}" if @first_session
       @state = :established
       @expire = Time.now + @keepalive if @keepalive && @keepalive > 0
+      @mtime = Time.now
       log.debug "connection established", host: @host, port: @port, expire: @expire
     end
   end
@@ -282,6 +290,7 @@ class Fluent::SecureForwardOutput::Node
       sslsession = OpenSSL::SSL::SSLSocket.new(sock, context)
       log.trace "connecting...", host: @host, address: addr, port: @port
       sslsession.connect
+      @mtime = Time.now
     rescue => e
       log.warn "failed to establish SSL connection", error_class: e.class, error: e, host: @host, address: addr, port: @port
       @state = :failed
@@ -317,8 +326,11 @@ class Fluent::SecureForwardOutput::Node
     read_interval = @sender.read_interval
     socket_interval = @sender.socket_interval
 
+    @mtime = Time.now
+
     loop do
       break if @detach
+      break if Time.now > @mtime + @connection_hard_timeout
 
       begin
         while @sslsession.read_nonblock(read_length, buf)
@@ -327,11 +339,21 @@ class Fluent::SecureForwardOutput::Node
             next
           end
           @unpacker.feed_each(buf, &method(:on_read))
+          @mtime = Time.now
           buf = ''
         end
-      rescue OpenSSL::SSL::SSLError
+      rescue OpenSSL::SSL::SSLError => e
         # to wait i/o restart
-        sleep socket_interval
+        log.trace "SSLError", error_class: e.class, error: e, mtime: @mtime, host: @host, port: @port
+        if Time.now > @mtime + @connection_hard_timeout
+          log.warn "connection hard timeout", mtime: @mtime, timeout: @connection_hard_timeout, host: @host, port: @port
+          log.warn "aborting connection", host: @host, port: @port
+          self.release!
+          self.detach!
+          break
+        else
+          sleep socket_interval
+        end
       rescue SystemCallError => e
         log.warn "disconnected by Error", error_class: e.class, error: e, host: @host, port: @port
         self.release!

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-secure-forward
 version: !ruby/object:Gem::Version
-  version: 0.3.4
+  version: 0.3.5pre1
 platform: ruby
 authors:
 - TAGOMORI Satoshi
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-12-22 00:00:00.000000000 Z
+date: 2016-03-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fluentd
@@ -140,7 +140,7 @@ files:
 - test/plugin/test_out_secure_forward.rb
 homepage: https://github.com/tagomoris/fluent-plugin-secure-forward
 licenses:
-- APLv2
+- Apache-2.0
 metadata: {}
 post_install_message: 
 rdoc_options: []
@@ -153,12 +153,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: Fluentd input/output plugin to forward over SSL with authentications